# Copy to .env and fill in values before starting in production.
# Generate SESSION_SECRET with: openssl rand -hex 32

SESSION_SECRET=replace-with-a-random-64-character-hex-string
SESSION_MAX_AGE_HOURS=168   # default: 168 (7 days)
PORT=3000
DB_PATH=/app/data/check-printing.db

# Public base URL of the app — used to build password reset links.
# Strongly recommended in production (prevents host-header link poisoning).
APP_BASE_URL=https://checks.example.com

# Set to 1 when running behind a reverse proxy (TLS termination) so client IPs
# and HTTPS detection work correctly. Leave unset for direct LAN access.
TRUST_PROXY=

# OIDC / SSO (optional — omit or leave blank to disable)
OIDC_ENABLED=false
OIDC_DISCOVERY_URL=https://auth.example.com/.well-known/openid-configuration
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_REDIRECT_URI=https://checks.example.com/api/auth/oidc/callback
OIDC_BUTTON_LABEL=Sign in with SSO